CVE-2023-27482
📋 TL;DR
This vulnerability lets an unauthenticated remote attacker bypass authentication on the Home Assistant Supervisor API and, from there, take control of the home automation system. It affects every Home Assistant installation that runs the Supervisor (Home Assistant OS and Supervised installs) on Supervisor 2023.01.1 or older; Container and manual Python (Core) installs have no Supervisor and are not affected. A fix has been released, and most Supervisor-managed systems received it through the Supervisor's automatic updates.
💻 Affected Systems
- Home Assistant Supervisor
📦 What is this software?
Home Assistant by Home Assistant: the open-source home automation platform (Home Assistant Core).
Supervisor by Home Assistant: the management service that runs on Home Assistant OS and Supervised installations; it installs and updates add-ons, Core and the OS, and exposes a REST API that Core proxies to the frontend under /api/hassio/.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, access sensitive home automation data, modify device configurations, and potentially pivot to other network devices.
Likely Case
Unauthorized access to Supervisor API allowing attackers to install malicious add-ons, modify system configurations, or access sensitive home automation data.
If Mitigated
No impact if Supervisor is 2023.03.1+ or Home Assistant Core is 2023.3.0+. Keeping the instance off the internet reduces exposure but does not remove it: the bypass is reachable by anyone who can reach the Home Assistant HTTP port, including devices on the local network.
🎯 Exploit Status
A detailed write-up and proof-of-concept are public (see the elttam advisory in the references). Once the bypass is known, exploitation is straightforward: no credentials or user interaction are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Supervisor 2023.03.1 or Home Assistant Core 2023.3.0
Vendor Advisory: https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25
Restart Required: Yes
Instructions:
1. Check the current Supervisor version in the Supervisor panel or via the CLI (`ha supervisor info`).
2. If on Supervisor 2023.01.1 or older, update to 2023.03.1+.
3. For Home Assistant Core, update to 2023.3.0+.
4. Most systems should already have updated through the Supervisor's auto-update feature; confirm rather than assume.
🔧 Temporary Workarounds
Network Isolation
Remove internet exposure for the Home Assistant instance
# Configure the perimeter firewall/router to drop inbound connections to the Home Assistant port (TCP 8123 by default) and to any reverse-proxy port that forwards to it
🧯 If You Can't Patch
- Immediately remove internet exposure and port forwarding for Home Assistant; if remote access is required, reach it only over a VPN
- Segment the network so Home Assistant is isolated from critical systems, and restrict which local hosts can reach its HTTP port, since the bypass is also exploitable from the LAN
🔍 How to Verify
Check if Vulnerable:
Check Supervisor version in Home Assistant UI under Supervisor → System or via CLI: ha supervisor info
Check Version:
ha supervisor info | grep version
Verify Fix Applied:
Confirm Supervisor version is 2023.03.1+ or Home Assistant Core is 2023.3.0+
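A scripted version of the check above, added here as an example and not code from Home Assistant or the advisory. It applies the fix versions stated on this page (Supervisor 2023.03.1, Core 2023.3.0) and assumes that `ha supervisor info --raw-json` prints a JSON document of the form `{"result": "ok", "data": {"version": "..."}}` (an assumption about the CLI's raw-JSON output shape; adjust the key path if yours differs). The embedded sample output is constructed so the check can run offline.

```python
"""Check whether the installed Supervisor / Core versions are at or past the fix.

Added example for this page; not code from Home Assistant or from the advisory.
Assumes the fix versions stated above and that `ha supervisor info --raw-json`
returns {"result": "ok", "data": {"version": "..."}} (assumed CLI output shape).
"""
import json
import re
import subprocess
from typing import Dict, Optional, Tuple

FIXED_SUPERVISOR = "2023.03.1"
FIXED_CORE = "2023.3.0"

# Constructed sample of raw-JSON CLI output so the check runs offline; not real output.
SAMPLE_RAW_JSON = '{"result": "ok", "data": {"version": "2023.01.1", "version_latest": "2023.03.1"}}'


def parse_version(text: str) -> Tuple[int, ...]:
    """'2023.01.1' -> (2023, 1, 1). Leading zeros are ignored and a pre-release
    suffix such as 'b2' is dropped, so 2023.3.0b2 counts as 2023.3.0."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"(\d+)", piece)
        if not match:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(match.group(1)))
    return tuple(parts)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when installed >= fixed; short versions are zero-padded (2023.3 == 2023.3.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def version_from_raw_json(raw: str) -> str:
    """Extract data.version from the CLI's raw-JSON document, failing loudly on errors."""
    doc = json.loads(raw)
    if doc.get("result") != "ok":
        raise RuntimeError(f"ha CLI reported an error: {doc.get('message', raw)}")
    return doc["data"]["version"]


def live_supervisor_version() -> Optional[str]:
    """Ask the local ha CLI; returns None when the CLI is absent (Container/Core installs)."""
    try:
        proc = subprocess.run(["ha", "supervisor", "info", "--raw-json"],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return version_from_raw_json(proc.stdout)


def assess(supervisor_version: str, core_version: Optional[str] = None) -> Dict[str, object]:
    """Apply the page's rule: protected if Supervisor >= 2023.03.1 or Core >= 2023.3.0."""
    sup_ok = is_fixed(supervisor_version, FIXED_SUPERVISOR)
    core_ok = is_fixed(core_version, FIXED_CORE) if core_version else False
    return {
        "supervisor": supervisor_version,
        "supervisor_fixed": sup_ok,
        "core": core_version,
        "core_fixed": core_ok,
        "vulnerable": not (sup_ok or core_ok),
    }


if __name__ == "__main__":
    # Prefer the live CLI; fall back to the constructed sample when it is not available.
    version = live_supervisor_version() or version_from_raw_json(SAMPLE_RAW_JSON)
    report = assess(version)
    state = "VULNERABLE: update the Supervisor" if report["vulnerable"] else "fixed"
    print(f"Supervisor {version}: {state}")
```

Run it on the Home Assistant host (SSH add-on or console) where the `ha` CLI is available; on any other machine it falls back to the constructed sample and reports that as vulnerable, which is the expected demonstration output, not a statement about your system.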
📡 Detection & Monitoring
Log Indicators:
- Requests reaching Supervisor API endpoints (exposed by Core under /api/hassio/) that succeed without a valid token
- Unexpected add-on installations, updates or configuration changes
- Repeated requests to Supervisor API paths from clients that do not normally use them
Home Assistant Core does not write a per-request access log by default; a reverse proxy in front of it, or the Supervisor's own logs (`ha supervisor logs`), is the practical source for these indicators.
Network Indicators:
- Unusual API calls to Supervisor endpoints from external IPs
- Traffic to Supervisor API without authentication headers
SIEM Query:
(illustrative pseudo-query; map the field names to what your log pipeline actually emits)
source="home-assistant" AND uri_path="/api/hassio/*" AND status="200" AND NOT src_ip IN (your_LAN_ranges)
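The network indicators above, run over sample log lines, as an added example that is not part of the page, of Home Assistant or of the advisory. It assumes Home Assistant sits behind a reverse proxy writing the nginx `combined` access-log format, that the proxy forwards Core's Supervisor proxy paths (`/api/hassio/...`), and that legitimate Supervisor API use comes only from the networks in `TRUSTED_NETWORKS`. The log lines are constructed for the example (the add-on slug `local_example` is made up), not captured from a real system.

```python
"""Flag Supervisor API access in reverse-proxy logs that matches the page's indicators.

Added example; not code from Home Assistant or the advisory. Assumes nginx
'combined' log lines from a proxy in front of Home Assistant and that only
TRUSTED_NETWORKS should ever call the Supervisor API. Sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
SUPERVISOR_PROXY_PREFIX = "/api/hassio/"
# Supervisor add-on lifecycle endpoints as seen through the Core proxy.
ADDON_CHANGE_RE = re.compile(r"/addons/[^/]+/(install|uninstall|update)$")
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample: one legitimate LAN request, then a public client reading
# Supervisor info, installing an add-on, and finally being refused.
SAMPLE_LOG = """\
192.168.1.20 - - [08/Mar/2023:10:01:02 +0000] "GET /api/hassio/supervisor/info HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [08/Mar/2023:10:05:11 +0000] "GET /api/hassio/supervisor/info HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.45 - - [08/Mar/2023:10:05:19 +0000] "POST /api/hassio/addons/local_example/install HTTP/1.1" 200 24 "-" "curl/7.88.1"
203.0.113.45 - - [08/Mar/2023:10:05:30 +0000] "GET /api/hassio/supervisor/info HTTP/1.1" 401 41 "-" "curl/7.88.1"
198.51.100.7 - - [08/Mar/2023:10:06:00 +0000] "GET /lovelace/0 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    reason: str


def parse_combined(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text: str) -> bool:
    """True when the client address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable address: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per Supervisor API request that matches an indicator."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None or not rec["path"].startswith(SUPERVISOR_PROXY_PREFIX):
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            outcome = "served" if rec["status"] == 200 else f"attempted (HTTP {rec['status']})"
            reasons.append(f"Supervisor API {outcome} to untrusted source")
        if rec["method"] == "POST" and ADDON_CHANGE_RE.search(rec["path"]):
            reasons.append("add-on install/uninstall/update through the Supervisor API")
        if reasons:
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"], rec["path"],
                                    rec["status"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
```

Trusted networks are listed explicitly rather than derived from `ipaddress.is_private`, because that property also covers documentation and benchmark ranges and would hide a non-LAN source; add-on lifecycle calls are flagged regardless of source, since an install from inside the LAN is still worth a look on an unpatched system.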
🔗 References
- https://github.com/elttam/publications/blob/master/writeups/home-assistant/supervisor-authentication-bypass-advisory.md
- https://github.com/home-assistant/core/security/advisories/GHSA-2j8f-h4mr-qr25
- https://www.elttam.com/blog/pwnassistant/
- https://www.home-assistant.io/blog/2023/03/08/supervisor-security-disclosure/